OPSEC for Border Travel


The canary still sings: chirp. While I was stopped at a border patrol checkpoint, the only questions I was asked were “Are you a US citizen?” (yes) and “Did you have fun in <location>?” (yes). I was not asked about, nor did I disclose, any information related to any online activities. Border patrol agents did not examine, inquire about, nor tamper with any computing device in my possession.


I will be offline from 03 April to 07 April inclusive. Any updates during that time are not my work, and should be considered evidence of account compromise. This includes but is not limited to any statement which appears to rescind or modify this notice.

At some point in the coming months, I may be traveling in or near a border area of the U.S. Such travel carries the risk that I could be compelled to disclose information relating to social media to agents of Customs and Border Protection (CBP) or Immigration and Customs Enforcement (ICE). This is not a theoretical risk or hyperbole; there have been several high-profile cases recently where real people in a similar situation were forced to disclose data.

This page is for people who may have had contact with me over social media. Its purpose is threefold:

  1. Advise you that data about me, and your association with me, is at greater-than-usual risk of disclosure to government officials.
  2. Tell you what things I’m doing to mitigate these risks.
  3. Suggest things you might do to mitigate these risks.

Risks

In the unlikely-but-distinctly-possible category, government officials may obtain information about my real-life identity as well as my identity on all social media sites I use. With this information, it is trivial to see with whom I associate and what we say to one another in public via those media.

In the much-less-likely (but still possible) category, I may be forced to disclose authentication information (and provide access to the second factor for two-factor auth) to government agents. If this were to happen, they would have access to all my private conversations in social media, as well as the unlimited ability to send messages posing as me, and to delete or modify genuine content I’d sent in the past.

It is entirely possible that if either of the above things were to happen, I would be unable to legally reveal what had happened after the fact. (While I can’t point to any examples of an individual being served a nondisclosure order or similar following a border search, that’s kind of the whole point — nobody would find out.)

Any data I’m forced to share with CBP or ICE should be assumed to be shared across all potentially interested agencies (both within the US government and among their nominal allies). Leaks from these agencies to the private sector happen on a regular and accelerating basis.

What I Will Do

First of all, I’m not planning to do anything naughty that would attract attention or reflect badly on people with whom I associate online. However, I recognize that this is not really any defense.

My use of social media has always been very light, and done with the understanding that nothing sent via any social media site is in any way private. This is a policy I intend to continue. “Host it yourself, on a domain you control” was, is, and will continue to be my mantra. Anything truly significant or private I will handle via email, or through a channel with end-to-end encryption, or in person.

In the coming days, I will sanitize my social media content, with an eye towards eliminating anything which could, if taken out of context, seem alarming or suspicious to a hypothetical maximally ignorant border guard.

I will not be taking any general-purpose computing device into the border area. This means no laptop, no tablet and no smartphone. (I will take a burner phone, of the cheapest “dumb” variety I can get. If it is ever out of my sight or connected to any electronic device other than a charger and cable I brought myself, it goes in the nearest garbage can — and the battery goes in the second-nearest one.)

There may be electronic devices that I need to take into the border area, and which have data storage (for example, a digital camera, a handheld GPS receiver and a mobile radio). These have never at any point held data relevant to social media, and in any case I will sanitize them prior to travel.

On every social media site that supports it, I will enable two-factor authentication, using a second factor that will not be in my possession (and which I will have no way to remotely access) during my travel.

Before travel, I will change ALL my social media passwords to long strings of random characters which I cannot possibly commit to memory. These passwords will be placed in an encrypted store on a flash drive (or similar) and physically secured, offline. The password store will not be in my possession when I travel. It will not be connected to any computer, nor accessible over any network. Neither I nor anyone else will have access to the password store until I return home.

The credentials for the recovery email address for my social media accounts will be changed to an unmemorizable string and secured as above.

I will export my online contact list as XML, encrypt it, secure it as above, and delete the online copy.

Prior to travel, I will post a prominent notice on various social media and on this page to the effect that I will be offline for a specific period of time, and any messages or posts from me during that time are the work of impostors. This includes especially any communication that appears to contradict, rescind or modify the “offline” notice.

After my return, I will update this page to include a full account of whether I was forced to disclose data, if I am legally able to do so. In other words, unless you see a “nothing happened” update, assume everything is compromised.

What You Can Do

After considering the risks, you may want to take steps to make it harder to infer a social connection between us. Such steps might include:

  • “Unfriend” or “un-follow” me, or whatever the equivalent is on a given social media network. (My feelings will not be hurt.)
  • Remove, delete or make private any messages you have received from or sent to me.
  • Remove, delete or make private any messages mentioning me you have sent to or received from third parties.
  • Remove any “tags” identifying me in a photo you have shared on social media.
  • Remove me from any online contact list, either until you see an “all-clear” message here, or permanently.

You are better able than I to judge if any of the above steps are warranted in your specific situation.

Be safe, be careful and know your rights.